I am using PAW to try and test different cloud functions deployed with Firebase. The app uses phone authentication, however currently there is little to no documentation on how to accomplish phone number authentication via REST API.
I have whitelisted a phone number for testing as per instructions here.
It appears that what I need to do is call on the verifyPhoneNumber method, which I have pieced together that the REST API endpoint I need is in the format:
https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPhoneNumber?key={WEB_API_KEY}
Now where I get stuck is in trying to pass the data that is expected. It looks like this endpoint expects a phoneNumber and an applicationVerifier object. I've pieced this together from the corresponding documentation here.
I try to make a request that looks like:
POST /identitytoolkit/v3/relyingparty/verifyPhoneNumber?key={WEB_API_KEY}
Content-Type: application/json; charset=utf-8
Host: www.googleapis.com
Connection: close
User-Agent: Paw/3.1.7 (Macintosh; OS X/10.13.6) GCDHTTPRequest
Content-Length: 73
{"phoneNumber":"+18035551111","applicationVerifier":{"type":"recaptcha"}}
The response I receive is:
HTTP/1.1 400 Bad Request
Vary: X-Origin
Vary: Referer
Content-Type: application/json; charset=UTF-8
Date: Thu, 13 Sep 2018 16:35:33 GMT
Server: ESF
Cache-Control: private
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39,35"
Accept-Ranges: none
Vary: Origin,Accept-Encoding
Connection: close
{
  "error": {
    "code": 400,
    "message": "MISSING_SESSION_INFO",
    "errors": [
      {
        "message": "MISSING_SESSION_INFO",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}
I'm not sure what I'm doing wrong at this point as I'm running out of documentation and sort of just blindly guessing parameters now. How can I authenticate via white-listed phone number via REST API for testing?
In the Firebase console, open the Authentication section. In the Sign in method tab, enable the Phone provider if you haven't already. Open the Phone numbers for testing accordion menu. Provide the phone number you want to test, for example: +1 650-555-3434.
Authentication. Prices are per successful verification. On the Blaze plan, Phone Authentication provides a no-cost tier. The first 10K verifications for both instances (USA, Canada, and India and All other countries) are provided at no cost each month.
After a lot of research (I'm struggling to create automated tests for my "login with phone" flow), I finally found a solution for this, based on @Danut Pralea's answer. Hopefully it will help people in future :)
Considering that your phone number is already whitelisted (as mentioned in the question), the first step would be a call to Firebase to send the verification code:
POST /v1/accounts:sendVerificationCode?key={WEB_API_KEY} HTTP/1.1
Host: identitytoolkit.googleapis.com:443
Content-Type: application/json
Content-Length: 39
{
"phoneNumber": "{PHONE_NUMBER}"
}
The response will be the sessionInfo, like this:
{
"sessionInfo": "ALiwoWJhYJgtFav1DKc0yBoTwcjjiyQNu240eDJ76GmlH-2i3RmHAYamaPkx3rjEmOBcgrua5QfLw8Nrn_QwjVPO6N09fYsiWQha0-5o2Jb5Hwqxkw7qwsl6YK0gotZ16HmiwqJkyd-stAXTVU1ZIBUwfrFqZmFY7g"
}
Then, the next step is to log in to Firebase with the code (the same one used in the whitelisting) and the session info:
POST /v1/accounts:signInWithPhoneNumber?key={WEB_API_KEY} HTTP/1.1
Host: identitytoolkit.googleapis.com:443
Content-Type: application/json
Content-Length: 207
{
"sessionInfo": "ALiwoWJhYJgtFav1DKc0yBoTwcjjiyQNu240eDJ76GmlH-2i3RmHAYamaPkx3rjEmOBcgrua5QfLw8Nrn_QwjVPO6N09fYsiWQha0-5o2Jb5Hwqxkw7qwsl6YK0gotZ16HmiwqJkyd-stAXTVU1ZIBUwfrFqZmFY7g",
"code": 123456
}
And that's it! Response will be something like:
{
"idToken": "idToken",
"refreshToken": "refreshToken",
"expiresIn": "3600",
"localId": "localId",
"isNewUser": false,
"phoneNumber": "{PHONE_NUMBER}"
}
More info in the official documentation: https://cloud.google.com/identity-platform/docs/reference/rest/v1/accounts
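The two-step flow from the answer above as a reusable test helper in Python. This is an added example, not code from the original post; the function names, the injectable post transport and the constructed fake responses (including the INVALID_CODE message) are assumptions for illustration.

```python
import json
import urllib.error
import urllib.request

BASE = "https://identitytoolkit.googleapis.com/v1/accounts"

class IdentityToolkitError(Exception):
    """Carries the API's error message, e.g. MISSING_SESSION_INFO."""

def http_post(url, payload):
    """Default transport: POST JSON, return (status, parsed body)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def _call(post, method, api_key, payload):
    status, body = post(f"{BASE}:{method}?key={api_key}", payload)
    if status != 200:
        message = body.get("error", {}).get("message", f"HTTP {status}")
        raise IdentityToolkitError(message)
    return body

def sign_in_with_test_phone(api_key, phone_number, code, post=http_post):
    """Step 1 returns sessionInfo; step 2 trades it plus the code for tokens."""
    session = _call(post, "sendVerificationCode", api_key,
                    {"phoneNumber": phone_number})
    return _call(post, "signInWithPhoneNumber", api_key,
                 {"sessionInfo": session["sessionInfo"], "code": code})

def fake_post(url, payload):
    """Constructed stand-in for the service so the flow runs offline."""
    if ":sendVerificationCode?" in url:
        return 200, {"sessionInfo": "constructed-session"}
    if payload.get("sessionInfo") != "constructed-session":
        return 400, {"error": {"code": 400, "message": "MISSING_SESSION_INFO"}}
    if payload.get("code") != "123456":
        return 400, {"error": {"code": 400, "message": "INVALID_CODE"}}
    return 200, {"idToken": "constructed-id-token", "expiresIn": "3600",
                 "localId": "constructed-uid", "isNewUser": False}

if __name__ == "__main__":
    result = sign_in_with_test_phone("constructed-key", "+16505553434",
                                     "123456", post=fake_post)
    # Print only non-secret fields; keep idToken/refreshToken out of CI logs.
    print(result["localId"], result["expiresIn"])
```

Omit the post argument to call the real endpoint with a whitelisted test number, and read the Web API key from the environment rather than committing it with the tests.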
key is an environment variable)
idToken also a Body Response Dynamic Value
idToken dynamic value in any other subsequent requests you perform to Firebase
The best part about adding the variables as Body Response Dynamic Values is you can chain them and call them in a sequence: